What GDPR Actually Means for Your Business in 2025

GDPR has been in force for years, but most small businesses still aren't fully compliant. Here's what the regulation actually requires, and where companies most commonly fall short.


GDPR came into force in 2018. Seven years later, a surprising number of businesses still treat it as a checkbox exercise rather than a genuine legal obligation. That's understandable — the regulation is dense, the guidance is often conflicting, and enforcement felt distant for a long time.

It no longer does.

Regulators across Europe have significantly increased enforcement activity, and fines are no longer reserved for large corporations. Small and medium-sized businesses have been penalised for failures that could have been prevented with basic compliance measures.

What GDPR actually requires

At its core, GDPR requires that any personal data you collect — names, email addresses, payment details, browsing behaviour — is collected lawfully, stored securely, used only for the purpose it was collected, and deleted when it's no longer needed.

It also requires that the people whose data you hold can access it, correct it, and in many cases request that you delete it entirely.

Where businesses most commonly fall short

The most frequent issue we encounter is consent. Many businesses collected email addresses years ago under vague terms and have been marketing to those contacts ever since. Under GDPR, that consent may not be valid — particularly if it wasn't specific, informed, and freely given.

The second is data retention. Businesses often hold personal data indefinitely with no policy governing when it should be deleted. This is both a compliance failure and a liability.

The third is third-party processors. If you use any external software — a CRM, an email platform, a payment processor — you are likely sharing personal data with third parties. GDPR requires that these relationships are governed by data processing agreements, and many businesses simply don't have them in place.

What a compliance audit looks like

A proper GDPR audit maps every point at which your business collects, stores, or processes personal data. It reviews your privacy policy, your consent mechanisms, your internal data handling procedures, and your agreements with third-party processors.

It's not a glamorous exercise. But it is a necessary one — and far less painful than a regulatory investigation.

The cost of getting it wrong

Fines under GDPR can reach €20 million or 4% of global annual turnover, whichever is higher. For small businesses, even a fraction of that figure is significant. Beyond fines, a data breach or regulatory finding damages client trust in ways that are hard to quantify and harder to recover from.

Compliance isn't a one-time project. It's an ongoing commitment — and one that Lawden can help you build into the way your business operates.


Marcus Reid

Associate
